From c6f91f8bd0edb9be84995cda9392ee475c5cd925 Mon Sep 17 00:00:00 2001 From: Brian Conry Date: Wed, 30 Oct 2019 14:16:04 -0500 Subject: [PATCH] arm: Add an explanation on the effect of 'require-server-cookie yes;' --- doc/arm/Bv9ARM-book.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index c6f6ec1835..dc7c11e2db 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -6015,7 +6015,11 @@ options { Set this to yes to test that DNS COOKIE clients correctly handle BADCOOKIE or if you are getting a lot of forged DNS requests with DNS COOKIES - present. + present. Setting this to yes will + result in reduced amplification effect in a reflection + attack, as the BADCOOKIE response will be smaller than + a full response, while also requiring a legitimate client + to follow up with a second query with the new, valid, cookie.
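
Review bot: In the sentence added after "present.", the benefit and the cost are joined by "while also", so the second query required of a legitimate client reads like another advantage rather than the trade-off it is. Suggest two sentences: one saying the BADCOOKIE response is smaller than a full response and so reduces amplification in a reflection attack, and one saying the price is that a legitimate client must follow up with a second query carrying the new cookie. Two wording nits in the same lines: "result in reduced amplification effect" needs an article ("a reduced amplification effect"), and "the new, valid, cookie" reads better as "the new, valid cookie".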